Visa to Bar Transactions by Processor

Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations, in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

Cardholders and merchants should not be affected by the change.

Visa said its decision to remove CardSystems came after a review and an independent investigation found that the payment processor had improperly stored cardholder data and did not have the proper controls in place.

It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems.

"I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million."

The move came at least two months after Visa first learned that data had been compromised and just days before its executives, along with those of other major card companies, have been called to testify in Washington about their security practices. The chief executive of CardSystems, John M. Perry, is also expected to testify on Thursday.

In a statement released yesterday, CardSystems said Visa's decision was unexpected and upsetting. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the processor said in a statement. "We hope that Visa will reconsider."

Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States.

Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.

Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.

"Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on member financial institutions and merchants as well as the significant concerns it raised for cardholders," the company said in a statement.

At this point, it is unclear what the other branded card companies will do. MasterCard has previously said that it was giving CardSystems a "limited amount of time to demonstrate compliance with MasterCard security requirements" but never laid out a specific timetable.

Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking comment. Judy Tenzer, an American Express spokeswoman, said the company did not comment about its relationships with vendors. Leslie Sutton, a Discover Financial spokeswoman, could not offer an immediate response.

Visa's decision is the latest development since the disclosure in mid-June that the CardSystems computer network had been compromised, putting the cardholder names, account numbers and security codes of as many as 40 million credit and debit cardholders at risk for fraud. The information of about 22 million Visa cardholders was exposed; MasterCard reported the data of 14 million of its cardholders was potentially at risk; and the rest largely belonged to customers of American Express and Discover.

At the time, Mr. Perry of CardSystems acknowledged that the company had been improperly storing data, violating Visa and MasterCard security rules. He said data thieves directly obtained information related to some 200,000 cardholder accounts. The F.B.I. and a group of federal banking regulators are now investigating.

In its statement, Visa offered its most scathing indictment of those security violations to date. The chief executive of CardSystems had "stated that the company knowingly retained unmasked magnetic stripe cardholder data, purportedly for 'research purposes,' " Visa said. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems."

In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

By ERIC DASH
The New York Times.
